Kerberos and Windows 2003 KDC

Unanswered Question
Jul 3rd, 2007

I'm trying to configure Kerberos authentication for local users on Cisco. The KDC is running under Windows 2003, but I got the following error from debugging:

AAA/BIND(000002D4): Bind i/f
AAA/AUTHEN/LOGIN (000002D4): Pick method list 'default'
Kerberos: All dialogue with KDC will now use default interface as source
Kerberos: Sent TGT request to KDC
Kerberos: Received TGT reply from KDC
Kerberos: KRB_ERROR (code=52) returned
Kerberos(000002D4): Received invalid credential.

Where can I find those Cisco KRB_ERROR codes?

Best regards,


Jagdeep Gambhir Tue, 07/03/2007 - 11:19

Hi Vladmir,

It's caused by AD needing to return a particularly large number of groups that a user belongs to, and trying to switch to TCP instead of UDP because of UDP packet size limits.

Older versions of Kerberos don't support TCP, and thus don't know what to do.

Hope that helps!



vnovakov Wed, 07/04/2007 - 00:55

Thanks a lot for a quick answer. However, I am still confused how to solve this problem between Cisco and Windows AD.

I would like to use Kerberos to authenticate local Cisco users instead of RADIUS authentication.

Under Windows 2003, I have created the user cisco1 to be able to create a keytab:

C:\Documents and Settings\admin>ktpass /crypto des-cbc-crc /desonly /ptype KRB5_NT_PRINCIPAL /pass PaSsWoRd123 /out cisco.keytab /princ host/[email protected] /mapuser [email protected]
Targeting domain controller:
Successfully mapped host/ to cisco1.
Key created.
Output keytab to cisco.keytab:
Keytab version: 0x502
keysize 68 host/[email protected] ptype 1 (KRB5_NT_PRINCIPAL)
vno 4 etype 0x1 (DES-CBC-CRC) keylength 8 (0x233d1f4c91341029)
Account cisco1 has been set for DES-only encryption.

Cisco configuration:

aaa authentication login default krb5 local
username ciscoadmin password 7 ********
username joe password 7 ********
kerberos local-realm COMPANY.LOCAL
kerberos srvtab entry host/[email protected]
kerberos server COMPANY.LOCAL
kerberos preauth encrypted-kerberos-timestamp
kerberos credentials forward

Comment: the ciscoadmin and joe users under AD are members of 7 groups, and they have a different password than the local users ciscoadmin and joe on the Cisco router.

Does the Cisco Kerberos client under IOS Version 12.4(12) use TCP, or does it use UDP only?



Jagdeep Gambhir Thu, 07/05/2007 - 10:08


What kind of users are we trying to authenticate, like VPN or wireless etc.?



vnovakov Thu, 07/05/2007 - 11:15


Just a local Cisco user that should have access to the router and run some set of show commands.

The same username is active in AD.

With RADIUS it's working, but switching to Kerberos is causing the problem above.



